SSSD AutoFS Integration
Integrate SSSD and autofs for looking up automounter data stored in cetralized remote directories such as LDAP.
- Targeted release: Fedora 17
- Last updated: 2012-01-03
- Percentage of completion: 30%
Autofs is able to look up maps stored in LDAP. However, autofs currently performs all the lookups on its own. Even though autofs uses the nsswitch.conf configuration file, there is no glibc interface such as those for retreiving users and groups and by extension no nscd caching.
The goal of this feature is integrate autofs and SSSD in a more centralized manner in order to perform the lookups through SSSD. SSSD would provide access to the remote directory, while autofs would leverage all the benefits SSSD brings over performing the lookups in autofs directly (see below for more details).
Benefit to Fedora
The benefits of the integration are:
- unified configuration of LDAP parameters such as the servers used, timeout options and security properties at one places (sssd.conf)
- autofs would take advantage of the advanced features SSSD has such as server fail over, server discovery using DNS SRV lookups and more
- only one connection to the LDAP server open at a time resulting in less load on the LDAP server and better performance
- caching of the data - again, less load on the LDAP server and better performance on the client side as the client wouldn't have to go to the server with each request
- offline access - even though if the client cannot connect to the LDAP server chances are that the NFS server is unreachable as well
- back end abstraction - data may be stored in NIS or other databases and accessed by the automounter transparently
This feature needs work on both the SSSD side and autofs side. A very detailed design document is available on the SSSD wiki
- The autofs developers need to create a new autofs lookup module that would be specific to SSSD. Autofs implements one lookup module per each information source and provides access to the infromation source - there is a module for plain files, a module for LDAP etc. The lookup module would load the libnss_sss library and use the API provided there to fetch data from SSSD transparently.
- SSSD developers need to provide the API in the libnss_sss library and corresponding code for actually downloading the data from remote directories and and storing the data into SSSD cache on the back end side of SSSD.
How To Test
- configure the setup (details TBD as we work out the config options)
- configure SSSD with an LDAP back end as described in the SSSD documentation (sssd.conf)
- configure autofs to perform lookups via SSSD (nsswitch.conf)
- test that mounting shares still works as expected
- perform the first mount while the LDAP server is running in order to cache the data on the client side
- stop the LDAP service that contains the maps. SSSD would serve the maps from cache and mounting shares should still work
The user would benefit from centralizing the LDAP configuration at one place, including advanced features that were not available before such as server fail over or DNS SRV lookups. The user would also likely notice better performance due to caching support and better load on the LDAP server because SSSD only opens a single connection at a time. In case the LDAP server is not reachable, the user would leverage the offline support SSSD provides.
As stated above, this feature depends on changes in both autofs and SSSD. There are no other external dependencies.
None required, Fedora would keep using the LDAP lookup module in autofs.
There is no user-visible documentation as of now, but the feature will be documented in the SSSD (and possibly autofs) manual pages. The SSSD team is also going to provide a migration guide which will help users transition from the old plain LDAP setup to the SSSD setup. No automatic migration would be performed, though.
Fedora 17 integrates autofs with SSSD, bringing caching support, offline access to the automounter maps and centralized configuration of autofs LDAP lookups in sssd.conf. By perfoming the automounter lookups via SSSD, the system also opens only one connection to the LDAP server and answers some requests from cache, which results in better performance.